Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction
|
|
- Posy McKenzie
- 8 years ago
- Views:
Transcription
1 Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction The purpose of this paper is to help financial institutions, in particular their senior management, address business continuity planning in the context of the transition to the Year This issue should be at the top of the senior business decision-maker's agenda during It is important that firms understand the need to develop specific Year 2000 contingency plans as soon as possible and the reason why it is not possible to rely exclusively on existing plans for this purpose. Year 2000 continuity planning is about ensuring the continuous and efficient functioning of business activities during the transition to the new millennium, not about providing backup for computer systems. It should therefore be approached in a market and business context, not as a technical project, and should be treated as a top business priority by the boards and senior management of financial institutions. The focus should be on core business activities, that is, those on which the survival of the business depends. There are various critical stages in the transition to the Year These relate in the first instance to the different dates on which information systems might face date-related difficulties in the course of 1999 and They also relate to different deadlines which the firm might face for internal as well as external testing and for reacting to any unexpected problems that might occur at such times. Problems with the various external dependencies of the firm, including third-party suppliers, market infrastructures, counterparties, clients and public utilities, might occur at different times during the transition. Finally, the firm will have to carefully approach the century date change in its computer applications, for instance by freezing system changes at the end of 1999 and gradually introducing new applications during the course of Planning for the various possible Year 2000 eventualities and developing procedures for dealing with any contingencies will take time. This is why financial firms should start their Year 2000 continuity planning as soon as possible. To delay starting is to risk business interruption and may diminish the credibility of the business in the eyes of customers, counterparties and other third parties (including financial market regulators). Increasingly, as 1999 progresses, institutions should ensure that they are ready to provide factual information about the state and nature of their Year 2000 preparedness and continuity planning. Requests for information could originate, internally, from the different business units and, externally, from those parties to which the firm s business continuity is important. It will therefore be important for the firm to develop appropriate communication strategies, both internal and external. Part 1 of this paper explains in more detail why all financial institutions must develop Year 2000 business continuity plans and why work should start as soon as possible. It also describes the general approaches that should be adopted in developing and implementing plans, and the responsibilities of senior management. Part 2 provides more specific guidance on the main features of a business continuity project. Good practice on this topic will evolve as 1999 progresses and firms are actively encouraged to study how they can include existing and evolving best practices in their own approach. In this respect, cooperation with other financial market participants and with regulators will be useful. The Joint Year 2000 Council or its parent committees may publish further guidance if this seems appropriate. 1
2 1. The general approach to Year 2000 business continuity planning In order to develop an effective and workable approach to Year 2000 business continuity planning, senior management must understand the challenges involved in ensuring business continuity during the transition to 2000 and the need to start work in this respect as soon as possible. This part of the paper addresses these issues and explains the general approach to Year 2000 contingency planning. 1.1 The importance of Year 2000 business continuity planning Financial institutions throughout the world are actively addressing the Year 2000 problem. The focus has been on awareness, assessment, remediation, testing and implementation with a view to achieving business continuity so far as mission critical business activities are concerned. Many observers believe that financial sectors in many countries will achieve a high state of Year 2000 preparedness. However, because of the nature of the Year 2000 problem, no institution will be able to assume that it has removed all threats to business continuity. Even if an institution believes that it has reasonable grounds for a high degree of confidence in the effectiveness of its own Year 2000 programme, and in the Year 2000 programmes of others, it will remain possible for problems to occur in different areas. These include: the firm s own systems; the systems of an entity to which it has outsourced some of its operations; the systems of a financial infrastructure provider such as a clearing and settlement system or message carrier; and the systems of a major business dependency such as a correspondent, trading counterparty or large client. Moreover, the firm itself and all the relevant external parties are vulnerable to possible disruptions at public utilities such as telecommunications, electricity, water, sewage or transport operators. The nature and scale of Year 2000 challenges and programmes is such that there can be no certainty in advance that assessment, remediation, testing and implementation activity both within and outside the firm has been fully effective. 1 Although most problems are likely to be caused by operational failures, they will directly threaten business continuity. Thorough business continuity planning is therefore a matter of simple prudence and it must be an integral part of every institution s Year 2000 strategy. Most institutions have contingency plans, for example for computer breakdowns or fire or other physical disasters. These may be a valuable starting-point for Year 2000 continuity planning. However, conventional contingency plans will not be adequate to deal with Year 2000 problems. For example, backup computer systems are likely to replicate faults in the main hardware and software systems and may not be available if they are maintained at sites operated by a third party that could face Year 2000 difficulties. 2 Difficulties could also be encountered in different business areas at the same time, and initially small and localised problems could combine to create larger disturbances. Problems, one s own or those of others, might well be more difficult to diagnose and may take longer to put right. Particular solutions may not work if adopted and used simultaneously by a large number of institutions (e.g. simultaneous mass faxing if there is a problem with voice telephony). Most importantly, the behaviour and perception of external parties, including customers, trading counterparties and correspondents, may change individually or collectively (on the basis, for instance, of rumour or speculation). A further important factor is that although 1 January 2000 (like other sensitive dates in this context) is fixed, information for example about an institution, industry sector or region's preparedness is likely 1 2 See the Joint Year 2000 Council's paper "Scope and Impact of the Year 2000 problem". The capacity of backup sites provided by third parties might also prove insufficient if a large number of customers request support at the same time. 2
3 to emerge throughout the period before, during and after 1 January This will require the risks to be reassessed on an ongoing basis and the plans to be adapted accordingly. 1.2 The need to start Year 2000 continuity planning as soon as possible Given all that is involved, the start of continuity planning cannot be left until the end of Year 2000 preparatory work. At the same time, continuity planning must not be done in a way which prejudices the successful and timely completion of the other key elements of a Year 2000 programme. For the reasons given above, institutions must treat the Year 2000 as a potential problem without precedent. The issues that need to be addressed are many and wide-ranging. Institutions must carry out a specific Year 2000 risk assessment and will need to draw up new plans to address the risks they identify. They should, as far as possible, test those plans in advance. Developing and implementing a credible plan will therefore require significant resources and effective organisation. No doubt this will also take time, and work should therefore be started as soon as possible. To delay starting is to risk not having an adequate plan in time. All institutions should aim to have a business continuity project in place as early as possible, preferably by the end of the first quarter of The project should include a timetable which provides for a business continuity plan to be completed by September Throughout the process, institutions need to ensure that work is prioritised so that there is an appropriate focus both in terms of what is most critical to the business and in terms of timing (e.g. between pre and post-1 January 2000 issues). 1.3 The general approach to Year 2000 continuity planning For all institutions, addressing such an unprecedented problem will be very challenging. Many will have their own approach to contingency planning, which may well provide a sound methodology, and there are advantages in using familiar methods. However, what is essential is the full and active involvement of senior management and all business units in the process. Most institutions will look in the first instance to their own resources, for example within their Year 2000 programme 3 or their risk management teams, supported by internal audit, to address Year 2000 continuity planning. However, given the unprecedented characteristics of the problem, every institution should make itself open to outside information, advice and support in order to receive the full benefit of professional expertise and practical experience as well as, if necessary, the requisite resources. Particular caution should be exercised with regard to relying on resources employed in the Year 2000 programme for the development and implementation of a Year 2000 continuity project. One reason is that the Year 2000 programme will involve rigorous and continuous testing and careful implementation of remediated systems throughout Technical experts involved in the Year 2000 programme will also need to remain available during all the important phases in the transition to 2000 in order to deal with any unexpected difficulties that might arise. Part 2 of this paper contains more specific guidelines on the development and implementation of the business continuity project. These are based on a number of guides to Year 2000 contingency planning that are now available from, or are being prepared by, regulatory organisations or trade bodies (see Annex). Specialist consultancy and accounting firms have also developed guidelines for proper Year 2000 contingency planning. Moreover, some individual firms which have recognised at an early stage that the Year 2000 should not be treated as a competitive issue have been willing to share information on their own practice and 3 To avoid confusion in this document, the main Year 2000 project aimed at remediating and testing the systems is called the Year 2000 programme, while the project aimed at providing business continuity is called the Year 2000 business continuity project. 3
4 experience. Finally, in some cases national Year 2000 coordinators are providing guidance to companies. Most of these documents clearly state that Year 2000 business continuity is not a technical issue and should receive the attention of senior managers. Their involvement is required to ensure appropriate accountability and commitment, proper organisation and extensive coverage. It will be their responsibility to take decisions that relate to the core business strategies. With respect to accountability, senior management should sponsor the business continuity project and provide adequate resources to put in place an effective business continuity plan in good time. They must ensure the adequate participation of all major business units. They will have to approve the risk assumptions and analysis and endorse the plans for risk mitigation and management. As with the Year 2000 readiness programmes, the development of the business continuity project will require proper organisation. A timetable, with milestones, will need to be drawn up and adhered to, which will necessitate conferring the proper authority on the project group. Coordination with the main Year 2000 readiness programme as well as with the major business units will be a major challenge. A proper organisation team(zero day management) has to be put in place for the Year 2000 transition period. This team should be responsible for collecting and disseminating information inside and outside the institutions and should have decision-making capabilities. Ensuring extensive coverage of the Year 2000 continuity project will require executive attention. Adequate assumptions, scenarios and plans will need to be developed to cover the risks to which the firm is exposed before, during and after 1 January 2000, including operational, financial and reputational risks. This should take into account the vulnerabilities to the firm s own systems as well as to those of relevant external parties. 2. Guidelines on business continuity projects This part of the paper provides more specific guidance on the development and implementation of a business continuity project. Institutions should consider it in the context of their own particular circumstances, organisation and working methods. 2.1 Establish high-level commitment to a business continuity project The purpose of a business continuity project is to maximise the ability of the business to maintain a minimum level of outputs and services and the confidence of customers, counterparties and other key third parties in adverse circumstances. It should also help to identify alternatives to normal business processes and to prepare for a possible crisis. In the event of emergency measures being invoked, the business continuity project should facilitate the rapid resumption of normal service. The establishment of a business continuity project may be a matter of business survival. It requires the rigorous identification of the risks to what is critical for adequate business continuity as well as the development and implementation of strategies to reduce those risks (risk prevention) or to mitigate the impact of any problems that occur in practice (risk mitigation). As indicated in Part 1, the exposure to risk during the transition to the Year 2000 is likely to be greater than normal. Accordingly, it is prudent for institutions to assume that problems of some kind will occur and that those problems may well be unusual. Nevertheless, institutions should take existing business continuity plans into account and retain what remains appropriate in a Year 2000 context. An effective project will be a complex, business-critical and resource-intensive task. It is essential that boards and senior managements take direct responsibility for the establishment of a project with the objective of achieving an agreed business continuity plan and for the allocation of sufficient resources. Their input is essential, in particular with respect to the formulation of the strategic business priorities 4
5 that will need to be reflected in the plan. They must also lend the project the necessary support to ensure that its importance and priority are recognised by the business as a whole. Finally, they should monitor its execution, on the basis of regular reporting. The business continuity project should be given an identified project manager and a project team of a sufficient size and quality to ensure its timely completion. All relevant business areas also need to be involved in the project in order to ensure their commitment and contribution of expertise and knowledge. This is likely to encompass the major business units, disaster recovery specialists, systems and operations units, and legal counsel. The relationship of the project to the Year 2000 programme should be made clear. It should ensure the effective exchange of relevant information and coordination between the two projects. As explained in Part 1, the objectives and scope of the two projects are different and it is therefore advisable to establish them separately, with different project managers and staff. The business continuity project is likely to be most effective if it is sponsored by senior management. 2.2 Establish a project plan and timelines A first task of the project team should be to establish a project plan which identifies the scope of the project, allocates responsibilities for each project task and lays down timelines for each stream of work. This plan should be approved by the project team as a whole and endorsed by senior management. The timelines should be sufficiently detailed, with milestones, to enable progress on the plan to be regularly reviewed by both the team and senior management. The scope of the project plan, and the timelines, should be kept under review and adjusted as necessary, in the light of experience or new information. Any threats to the achievement in good time of an effective business continuity strategy should be identified and addressed as and when they arise. 2.3 Identify business critical systems and processes An essential objective of the business continuity project would be to identify what is critical to the continuity of business. This includes the key systems and processes which support the critical services and the internal and external dependencies which are crucial to the business. Much of this information should have been obtained in the context of the Year 2000 programme. However, the business continuity project should itself ensure that the risks to business continuity are addressed comprehensively. The project team should therefore review the analysis made in the main programme. The business continuity project and the Year 2000 programme should generally agree on what is considered to be business-critical so that the business as a whole operates on the basis of a consistent, agreed analysis. Any inconsistencies or disagreements should be resolved at senior level. 2.4 Establish a risk identification and assessment methodology To meet the primary purpose of an effective business continuity project it is essential to put in place a methodology for identifying the risks to business continuity and assessing their potential impact. That methodology must then be applied across the business as a whole. The methodology should be one which is practical, straightforward and readily understood by all those in the business who need to use it. It should also ensure comprehensive risk identification and assessment and be cost-effective. The identification of the business's key processes, systems and dependencies (both internal and external) should provide the starting-point for identifying the risks. The business continuity project should consider the risks attaching to the Year 2000 programme itself, such as the failure to complete the programme in time and inadequacies or errors in one of the programme elements (e.g. inventory or testing). In addition, the business continuity project must consider the risks arising from the overall environment in which the business operates. These risks are likely to fall into one of three broad categories: operational risks, credit and liquidity risks and reputational risks. 5
6 Operational risks could arise from failures in internal systems, problems with facilities such as lifts, air-conditioning, heating or backup power supplies, and disruptions in the services provided by utilities such as water, electricity and telecommunications. They could also result from disturbances in financial market infrastructure elements such as payment and settlement systems, exchanges, market information providers or message carriers. Special attention should also be paid to the fact that frauds may be attempted when operational difficulties are experienced and normal business functioning (and security) is impaired. Credit and liquidity risks are the typical financial risks to which financial institutions are exposed. Credit risk involves the possible financial loss as a result, for instance, of a counterparty default or the depreciation in value of the assets held by the institution. Liquidity risk arises when financial institutions face unexpected cash-flow positions and either have to fund cash-flow shortfalls at short notice and unfavourable terms or invest surplus funds under unattractive conditions. In the context of the Year 2000, such risks can arise in different ways when financial institutions cannot carry out their business as usual. Particular concerns relate to the ability of firms to trade and settle under normal conditions and markets to function smoothly and with the needed liquidity when uncertainty increases. Reputational risk can occur when a financial institution is seen to be poorly prepared to deal with operational or financial difficulties and when incidents occur that impair the institution's ability to operate normally and efficiently. This can result in the institution being negatively perceived by customers, counterparties or market participants. Given the degree of uncertainty about Year 2000 preparations, as well as the multiple interdependencies between financial market participants and their joint dependence on third-party service providers, it is likely that financial firms will face Year 2000 disruptions. There is therefore strong potential for the reputation of financial firms to be negatively affected by Year 2000 difficulties in the financial system (whether real or perceived). 4 Institutions need to be imaginative in identifying the possible risks. All parts of the business need to be involved to ensure that the process of risk identification results in a comprehensive list of perceived risks to business continuity. For each of the types of risk identified, a proper assessment must be made of the probability of the risk occurring and the impact on the business if it does occur. The impact assessment should make explicit assumptions about the expected duration of a problem, for example, one hour, one day or one week. The purpose of this assessment is to enable the business to identify those risks which are most likely to occur and whose impact could be significant. It would also allow the identification of those risks whose impact would be very high, even if the probability of occurrence is low. A simple methodology can be used, for instance classifying probability and impact (separately) on a high/medium/low basis. It is essential that the analysis involve those in the business who are best placed to make the assessment by virtue of their knowledge, experience or expertise. In particular, business managers, who are in the best position to identify, assess and address risks to business viability, should be directly involved. 2.5 Develop risk prevention and mitigation measures After carrying out making the risk assessment, judgements should be made as to which risks present sufficient threats to the business to require the development of strategies and actions to prevent them arising or to mitigate their impact if they do arise. These judgements should be the basis for prioritising work in the project. There may be various options for risk prevention and mitigation, including: 4 As indicated in the Council s policy paper on disclosure and information sharing (January 1999) this is one reason for financial firms to take voluntary action to publicly disclose information about their readiness programmes and contingency plans. 6
7 continuous review of results of tests on own systems (including those with embedded chips) and those of external parties; rigorous prior assessment and continuous review of readiness and contingency plans of key market infrastructure providers, customers, counterparties, public utilities and government agencies; reducing legal exposure, for instance by renegotiating contracts or revising documentation; developing an effective disclosure and communications strategy; working with other market participants, industry associations and market infrastructure providers to review best practices and, where appropriate, develop joint initiatives, for instance with respect to market practices; enhancing liquidity and access to liquidity; developing alternatives to normal business processes, for instance manual procedures or access to alternative types of trading procedure; disaster recovery plans in the event of problems with availability of buildings, staff, etc. Options should be chosen according to the likely seriousness of the expected disturbances and on the basis of their feasibility and the general business priorities. The overall objective should be to prepare to deal with contingencies without creating a false sense of security or an unnecessary degree of anxiety. Particular attention should be paid to internal and external communication strategies. 2.6 Zero day information management, communications and decision-taking A business must be organised and prepared in the run-up to, on and after 1 January 2000, the so-called zero day, to acquire and use information about itself, about third parties and about the general environment, including the infrastructure that may be relevant to business continuity. Information must be available at all times to allow rapid decisions to be made in response to developments in order to sustain business continuity. Finally, a firm must be able to communicate about its own status to regulators, business partners, customers and the media. For this purpose, the business should, well in advance, identify the information likely to be required by itself and by others, the sources of that information, the means of obtaining it and the persons to whom the information is to be made available. This is likely to have implications for communications arrangements, internal and external, and for the availability of personnel. The business should also, well in advance, determine the management arrangements for decisionmaking and the staff who will need to be involved in those arrangements. The facilities and support necessary to ensure that arrangements work efficiently should also be identified. A business may consider it necessary to establish one or more communications or command centres to facilitate the dissemination of information and the monitoring of developments. Appropriate channels for information flows should enhance internal consultation and decision-making. To be effective, all these arrangements should be tested in advance. 2.7 Process discipline All risk prevention and mitigation plans should be developed in accordance with strict process disciplines. This would require: precise documentation of each risk and of the related prevention or mitigation strategy; allocation of responsibility to an individual to develop and implement the strategy; and approval at the appropriate management level of the strategy and implementation plans. It is also essential that, so far as practicable, each plan be tested to identify gaps or problems and to verify its credibility. Where necessary, the plan should be modified in the light of the tests. Those who will have to implement the plan must receive appropriate guidance and training. 7
8 Throughout the period before, during and after 1 January 2000, the business must be constantly on the alert for new developments or information that may change the risk identification or assessment or the assumptions made. The business continuity plan should be adjusted as necessary. In particular, in the context of business continuity planning as in the main remediation programme, institutions must be alert to the implications of and risks attaching to changes made by the business to IT systems or programmes, or to business processes, outside Year 2000 projects. Institutions should seek to minimise such changes, particularly as 1 January 2000 approaches. 5 5 Refer to Council s press statement and quote private and public sector recommendation to change management 8
9 Annex Source Date Title Available from French financial sector (supervisory authorities and market participants) February 1999 Addendum to the White Book on the Year 2000 changeover - Business continuity after Global 2000 Coordinating Group January 1999 Year 2000 Business Risk Management Hong Kong Monetary Authority December 1998 Guidance Note on Year 2000 Contingency Planning by Authorised Institutions /guideline/ htm Bank of Japan November 1998 Guidance on Year 2000 Contingency Planning US General Accounting Office (GAO) August 1998 Year 2000 Computing Crisis: Business Continuity and Contingency Planning s/bcpguide.pdf British Bankers Association October 1998 Year 2000 Contingency Planning Guide (BBA) Federal Financial Institutions Examination Council (FFIEC) 13 May 1998 Guidance concerning Contingency Planning in connection with Year 2000 Readiness 9
Vendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationAdvisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management
Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationPrinciples for BCM requirements for the Dutch financial sector and its providers.
Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationConsider the cash demands of a financial institution's customers; Anticipate funding needs in late 1999 and early 2000;
AL 98-18 Subject: Year 2000 Q&A Guidance Date: December 10, 1998 TO: hief Executive Officers of National Banks, Federal Branches, Service Providers, Software Vendors, Department and Division Heads, and
More informationISSUES PAPER PAYMENT SYSTEMS BUSINESS CONTINUITY
ISSUES PAPER PAYMENT SYSTEMS BUSINESS CONTINUITY 10 May 2005 ISSUES PAPER PAYMENT SYSTEMS BUSINESS CONTINUITY TABLE OF CONTENTS Executive Summary 3 Introduction 4 Evolution of Core Principle VII 4 1. Formulation
More informationFederal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION
Federal Financial Institutions Examination Council FFIEC Business Continuity Planning MARCH 2003 MARCH 2008 BCP IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND SENIOR MANAGEMENT
More informationHow To Assess A Critical Service Provider
Committee on Payments and Market Infrastructures Board of the International Organization of Securities Commissions Principles for financial market infrastructures: Assessment methodology for the oversight
More informationOperational Risk Management Policy
Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well
More informationMonetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES
Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES June 2003 TABLE OF CONTENTS 1.0 INTRODUCTION... 1 1.1 READINESS IS YOUR ONLY PROTECTION... 1 1.2 APPLICATION OF THE GUIDELINES...
More informationFederal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK
Federal Financial Institutions Examination Council FFIEC Business Continuity Planning BCP FEBRUARY 2015 IT EXAMINATION H ANDBOOK Table of Contents Introduction 1 Board and Senior Management Responsibilities
More informationGUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004
GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE October 2004 1 1. Introduction Guaranteeing the efficiency and correct operation of money and financial
More informationConsultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions
Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology
More informationBusiness Continuity Business Continuity Management Policy
Business Continuity Business Continuity Management Policy : Date of Issue: 28 January 2009 Version no: 1.1 Review Date: January 2010 Document Owner: Patricia Hughes Document Authoriser: Tony Curtis 1 Version
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationINSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES
SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting
More informationRisk Management Systems of the Resona Group
Systems of the Resona Group RESONA HOLDINGS, INC. Systems of the Resona Group 24 Systems Basic Approach to The trends toward financial liberalization, globalization, and securitization, along with progress
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationPolish Financial Supervision Authority. Guidelines
Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents
More informationGUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK
SUPERVISORY AND REGULATORY GUIDELINES: PU-0412 Operational Risk 25 th November, 2013 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK 1. INTRODUCTION 1.1. The Central Bank of The Bahamas ( the Central
More informationGAO. Year 2000 Computing Crisis: Business Continuity and Contingency Planning
GAO United States General Accounting Office Accounting and Information Management Division August 1998 Year 2000 Computing Crisis: Business Continuity and Contingency Planning GAO/AIMD-10.1.19 Preface
More information: Chief Executive Officers of all Licensed Commercial Banks, Primary Dealers, Central Depository Systems (Pvt) Ltd. and LankaClear (Pvt.) Ltd.
March 29, 2006 BCP Guidelines No: 01/2006 To : Chief Executive Officers of all Licensed Commercial Banks, Primary Dealers, Central Depository Systems (Pvt) Ltd. and LankaClear (Pvt.) Ltd. Introduction
More informationTHE DOMESTIC SURVEY AND THE CONSEQUENT RECOMMENDATIONS
OVERSIGHT RECOMMENDATIONS ON BUSINESS CONTINUITY BACKGROUND OF THE DOMESTIC SURVEY Unexpected incidents worldwide have focused the attention of the financial sector, including the participants of the domestic
More informationSupervisory Policy Manual
This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue
More informationStatement of Guidance
Statement of Guidance Foreign Exchange Risk Management 1. Statement of Objectives To provide a standard of best practice to banks for the implementation of an effective and sound Foreign Exchange Risk
More informationPBSi Business Continuity Planning
Business Continuity Planning Definition Business Continuity planning is a planning process designed to reduce the risk that disruptive failures or events could seriously harm your business. It is designed
More informationSUPERVISORY AND REGULATORY GUIDELINES: PU19-0406 BUSINESS CONTINUITY GUIDELINES
SUPERVISORY AND REGULATORY GUIDELINES: PU19-0406 Business Continuity Issued: 1 st May, 2007 Revised: 14 th October 2008 BUSINESS CONTINUITY GUIDELINES I. INTRODUCTION The Central Bank of The Bahamas (
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationInsurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive
Insurance Guidance Note No. 14 Transition to Governance Requirements established under the Solvency II Directive Date of Paper : 31 December 2013 Version Number : V1.00 Table of Contents General governance
More informationRISK MANAGEMENT AND COMPLIANCE
RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6
More informationBusiness Continuity Plan
Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page
More informationDecision on recovery plans of credit institutions. Subject matter Article 1
Pursuant to Article 101, paragraph (2), item (8) and Article 154, paragraph (2) of the Credit Institutions Act (Official Gazette 159/2013) and Article 43, paragraph (2), item (9) of the Act on the Croatian
More informationNORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)
NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00) Subject and version number of document: Serial Number: Business Continuity Management Policy
More informationNovember 2007 Recommendations for Business Continuity Management (BCM)
November 2007 Recommendations for Business Continuity Management (BCM) Recommendations for Business Continuity Management (BCM) Contents 1. Background and objectives...2 2. Link with the BCP Swiss Financial
More informationBusiness Continuity and Disaster Recovery Planning
Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services
More informationAdvisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities
Advisory Guidelines of the Financial Supervision Authority Requirements for Organising the Business Continuity Process of Supervised Entities These advisory guidelines were established by Resolution No
More informationPrudential Practice Guide
Prudential Practice Guide LPG 232 Business Continuity Management March 2007 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal
More informationCapital Adequacy: Advanced Measurement Approaches to Operational Risk
Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements
More informationGuidance on Risk Management, Internal Control and Related Financial and Business Reporting
Guidance Corporate Governance Financial Reporting Council September 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting The FRC is responsible for promoting
More informationRisk Management Programme Guidelines
Risk Management Programme Guidelines Submissions are invited on these draft Reserve Bank risk management programme guidelines for non-bank deposit takers. Submissions should be made by 29 June 2009 and
More informationTO CREDIT UNIONS DATE: June 10, 1998
NATIONAL CREDIT UNION ADMINISTRATION NATIONAL CREDIT UNION SHARE INSURANCE FUND LETTER LETTER NO.: 98-CU-12 TO CREDIT UNIONS DATE: June 10, 1998 SUBJECT: Business Resumption Contingency Planning Letter
More informationBUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE
BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE Introduction 1. Recently many organisations both public and private have directed much more time, money and effort towards protecting service
More informationReport on Internal Control
Annex to letter from the General Secretary of the Autorité de contrôle prudentiel to the Director General of the French Association of Credit Institutions and Investment Firms Report on Internal Control
More informationRISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer
RISK MANAGEMENT FRAMEWORK 1 SUMMARY The Risk Management Framework consists of the following: Risk Management policy Risk Management strategy Risk Management accountability Risk Management framework structure.
More informationHow To Manage A Financial Institution
BUSINESS CONTINUITY MANAGEMENT GUIDELINE April 2010 Table of Contents Preamble...3 Introduction...4 Scope...5 Coming into effect and updating...6 1. Continuity and resumption of business...7 2. Sound and
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationBusiness Continuity (Policy & Procedure)
Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity
More informationBusiness Continuity Management Governance. Frank Higgins Abu Dhabi March 2015
Business Continuity Management Governance Frank Higgins Abu Dhabi March 2015 Different Names Same Concept BCM (Business Continuity Management) BSI 25999 IPOCM (Incident Preparedness & Operational Continuity
More informationIT Disaster Recovery Plan Template
HOPONE INTERNET CORP IT Disaster Recovery Plan Template Compliments of: Tim Sexton 1/1/2015 An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned
More informationHow To Manage A Business Continuity Strategy
Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION
More informationInternal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)
Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC) 1 Introduction 1.1 Section 316 (4) of the International Business
More informationTO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel
AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,
More informationBUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS
BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3
More informationSound Practices for the Management of Operational Risk
1 Sound Practices for the Management of Operational Risk Authority 1.1 Section 316 (4) of the International Business Corporations Act (IBC Act) requires the Commission to take any necessary action required
More informationBusiness continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations
Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations June 2015 2 Publication details Recipients: All insurance companies supervised by Finma
More informationBusiness Continuity Planning and Disaster Recovery Planning
4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business
More informationOffsite Disaster Recovery Plan
1 Offsite Disaster Recovery Plan Offsite Disaster Recovery Plan Presented By: Natan Verkhovsky President Disty Portal Inc. 2 Offsite Disaster Recovery Plan Introduction This document is a comprehensive
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationIntroduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT
INFORMATION SECURITY: UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT FACTSHEET This factsheet will introduce you to Business Continuity Management (BCM), which is a process developed to counteract systems
More information<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP
IT Disaster Recovery Plan Template By Paul Kirvan, CISA, CISSP, FBCI, CBCP Revision History REVISION DATE NAME DESCRIPTION Original 1.0 2 Table of Contents Information Technology Statement
More informationGuidance Note: Stress Testing Class 2 Credit Unions. November, 2013. Ce document est également disponible en français
Guidance Note: Stress Testing Class 2 Credit Unions November, 2013 Ce document est également disponible en français This Guidance Note is for use by all Class 2 credit unions with assets in excess of $1
More informationSolvency II Detailed guidance notes
Solvency II Detailed guidance notes March 2010 Section 1 - System of governance Section 1: System of Governance Overview This section outlines the Solvency II requirements for an effective system of governance,
More informationAugust 2013 Recommendations for Business Continuity Management (BCM)
August 2013 Recommendations for Business Continuity Management (BCM) 1 Background and objectives... 2 2 Principles... 3 3 Scope of application and threats... 4 4 Recommendations... 6 4.1 Definition and
More information(Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For
Unofficial Translation by the courtesy of The Foreign Banks' Association This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official
More informationElectronic Trading Information Template
Electronic Trading Information Template Preface This Electronic Trading Information Template (the "Template") has been created through the collaborative efforts of the professional associations listed
More informationEMERGENCY PREPAREDNESS POLICY
EMERGENCY PREPAREDNESS POLICY CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: Policy Emergency Planning PURPOSE This document sets out the strategic framework for the management of emergency preparedness
More informationPROJECT MANAGEMENT FRAMEWORK
PROJECT MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Executive Assistant to
More informationInternal Audit Standards
Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing
More informationINTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS
Issues Paper INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS RISKS TO INSURERS POSED BY ELECTRONIC COMMERCE OCTOBER 2002 Risks to Insurers posed by Electronic Commerce The expansion of electronic commerce,
More informationCyber Security Risk Management
Our Ref.: B1/15C B9/29C 15 September 2015 The Chief Executive All Authorized Institutions Dear Sir/Madam, Cyber Security Risk Management I am writing to draw your attention to the growing importance of
More informationStatement of Guidance
Statement of Guidance Business Continuity Management All Licensees 1. Statement of Objectives 1.1. To enhance the resilience of the financial sector and to minimise the potential impact of a major operational
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationRisk Management Framework
Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:
More informationCapital Market Services UK Limited Pillar 3 Disclosure
February 2013 Capital Market Services UK Limited Pillar 3 Disclosure Contents 1.0 Overview 2.0 Frequency and location of disclosure 3.0 Verification 4.0 Scope of application 5.1 Risk Management objectives
More informationCorporate Risk Management Policy
Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction
More informationNOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE
STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52
More informationCharities & Not for Profit Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management
Charities & Not for Profit Protecting your organisation, supporting its success Risk Management Insurance Employee Benefits Investment Management Charities are there to help those in need. But who helps
More informationPrudential Practice Guide
Prudential Practice Guide SPG 232 Business Continuity Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal
More informationBusiness Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?
Business Continuity Is your Business Prepared for the worse? Major emergencies can develop suddenly without warning. Situations can threaten and disrupt your business and impact upon you and your staff.
More informationBusiness Continuity Management. Policy Statement and Strategy
Business Continuity Management Policy Statement and Strategy November 2011 Title Business Continuity Management Policy & Strategy Date of Publication: Cabinet Council Published by Borough Council of King
More informationBusiness Continuity Planning at Financial Institutions
Business Continuity Planning at Financial Institutions July 2003 Bank of Japan Table of Contents Introduction...2 1 The Bank s View of Business Continuity Planning 1) Significance of business continuity
More informationPORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)
PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3) 1st February 2006 Version 1.0 1 P3M3 Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce This is a Value
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective
More informationShankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.
Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management
More informationGUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES
20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal
More informationPolicy guidance on the Bank of Canada s risk-management standards for designated financial market infrastructures
Policy guidance on the Bank of Canada s risk-management standards for designated financial market infrastructures Standard 24: Recovery Plans This guidance was prepared by the Bank of Canada (the Bank)
More informationRisk Management Guidelines
Business Continuity Management Understanding Risk We live in an unpredictable world. No matter how effectively a business protects itself through insurance, there are some risks that cannot be anticipated,
More informationPAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA
1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationHow To Manage A Disruption Event
BUSINESS CONTINUITY FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational
More informationProposed Code of Ethical Principles for Professional Valuers
INTERNATIONAL VALUATION STANDARDS COUNCIL Second Exposure Draft Proposed Code of Ethical Principles for Professional Valuers Comments to be received by 31 August 2011 Copyright 2011 International Valuation
More informationBusiness Continuity Management Policy
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
More informationRISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES
RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004 Risk Management Guidance CONTENTS Pages List of guidelines on risk management
More informationRisks and uncertainties
Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that
More informationSUPERVISION GUIDELINE
G u i d e l i n e s o n O u t s o u r c i n g P a g e 1 SUPERVISION GUIDELINE G10: GUIDELINES ON OUTSOURCING Issued To All Licensed Financial Institutions G u i d e l i n e s o n O u t s o u r c i n g
More information